Name : EasyAV.exe
Path : %WINDOWS%\EasyAV.exe
[ C:\Windows\EasyAV.exe ]
type : Internet
Name : W32.Netsky.T@mm
Alias : W32/Netsky-P, W32/Netsky.P@MM
, Netsky.P, WORM_NETSKY.P, I-Worm.Netsky.P,
WORM_NETSKY.P, W32/Netsky-P, Win32.Netsky.P, Win32/Netsky.Q
level : Medium
EasyAV.exe is dropped by
Netsky.T Worm. It is a
modified variant of Netsky.S worm. Netsky.T worm arrives as
an e-mail attachment. The infected attachment
name, message body and subject is randomly chosen
by the worm.
infected mail subject will be one of the
Re: My details
Re: Thanks you!
Re: Your details
Re: Your document
Re: Your information
infected mail message body will be one of the
I have spent much time for the <random word>.
I have sent the <random word>.
I have found the <random word>.
Your file is attached to this mail.
My <random word>.
My <random word> is attached.
I have spent much time for your document.
Your <random word>. ˇYour <random word>
The requested <random word> is attached!
The <random word>.
The <random word> is attached.
See the document for details.
Please notice the attached document.
Please notice the attached <random word>.
Please have a look at the attached document.
Please have a look at the <random word>.
Note that I have attached your document.
Here is the document. ˇHere is the <random
For more information see the attached document.
For more details see the attached document.
Approved, here is the document.
Please, <random word>.
Please see the <random word>.
Please read the attached document.
Please read the <random word>.
Please read quickly.
infected mail sample is given below
When the worm file is
executed, it copies itself to Windows folder as
"EasyAV.exe". Netsky.T modifies
registry run section to load automatically on the
next startup. The registry modification is given
By default, %WINDOWS% will be C:\Windows in case
of Windows 95/98/ME/XP, C:\Winnt in case of
Windows NT/2000 ]
Netsky.T worm uses its
own SMTP engine to send infected messages. The
worm also removes registry entries created by
Mydoom.A and Mydoom.B worm. It opens port 6789 to
allow access to the infected system.
This Worm is also known
as I-Worm.NetSky.t, W32/Netsky.t@MM, Win32.HLLM.Netsky.based,
W32/Netsky-T, Win32/Netsky.T@mm, WORM_NETSKY.T,
Win32:Netsky-T, I-Worm/Netsky.T, Worm.SomeFool.Gen-2,
W32/Netsky.T.worm, Win32/Netsky.T and Email-Worm.Win32.NetSky.t.
How can I protect my
Solo has incorporated
detection for easyav.exe in its signature file to
protect users from this worm attack. Solo
antivirus registered users are already protected
from this Worm. Make sure that you have installed
registered version of Solo Antivirus to protect
your system from all virus threats.
to remove this Worm?
you are already infected with easyav process, you
can remove it from your computer using Solo
Antivirus software. Use the
following link to Download 30 day trial
version of Solo antivirus to remove
viruses from your computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts, Trojans,
Backdoors, boot sector, partition table and macro
purchase Solo antivirus using the link